Who we are: IAB UK / IAB Europe / IAB Tech Lab


What is the organisation's substantive scope / mission?

* IAB UK: Representing & supporting the UK digital advertising industry — policy advocacy, developing standards and good practice (self-regulation)
* IAB Europe: Representing & supporting the European digital advertising & marketing ecosystem — policy advocacy, best practice exchange, standards (incl. legal compliance)
* IAB Tech Lab: Developing & maintaining technical standards, software and services to support the global digital advertising ecosystem (e.g. OpenRTB protocol)


Who are the members?

* IAB UK: Companies from across the digital advertising ecosystem — advertisers, agencies, ad tech, media owners and publishers — operating in the UK
* IAB Europe: Companies from across the digital advertising ecosystem — agencies, media owners, ad tech, publishers — operating across Europe; European National IABs (25 including IAB UK) representing companies from across the digital ad & marketing ecosystem
* IAB Tech Lab: Companies from across the digital advertising ecosystem — advertisers, agencies, ad tech, publishers — no geographical restriction on membership; National IABs (48)
ICO report: context


[Diagram not recovered. Surviving labels: "(using Open… other protocols)", "IAB Tech L…", "IAB Europe + TCF Steering Group"]
What can IAB-led responses provide?


IAB UK | IAB Europe | IAB Tech Lab 


* Trade associations can provide responsible companies with standards and tools to facilitate legal 
compliance and ensure accountability, i.e. by setting out what the appropriate legal and technical 
approaches are to achieving compliance with GDPR & ePrivacy legislation 


* Specifically, the TCF has a critical role to play (v 2.0 and future iterations)


* Where possible, we (IAB UK, IAB Europe, Tech Lab) want to develop approaches that can be applied in
a harmonised way at EEA level to avoid fragmentation and maintain the consistency envisaged by 
GDPR 
IAB UK actions


Bid analysis (SCD) 
Data mapping 


TCF 


IAB Europe TCF ICO Working Group 


Information Commissioner's Office 


IAB Europe/TCF actions 


IAB Tech Lab 


EDAA 


IAB UK Working Group 
Activity since June


[Timeline graphic; recovered labels:]

* TCF v2 launch (implementation Q1 2020)
* ICO report published.
* ICO/IAB dialogue begins
* Series of face to face technical working group meetings/calls (Data security, special category data, legitimate interest, user information & choices)
* ICO engagement (series of calls and meetings)
* IAB UK event, 5 November
* ICO forum, 19 November
* Ongoing: IAB UK/IAB Europe Working Groups (+ Tech Lab). Identifying potential solutions
Recap: purpose & benefits of TCF


1. Ensures that vendors have an appropriate GDPR lawful basis to process personal data 

2. Implements GDPR-defined consent for ePrivacy compliance 

3. Ensures full transparency into the controllers (vendors) seeking to access devices and process 
personal data 

4. Ensures full transparency about purposes for which vendors wish to access devices and process 
personal data 

5. Control for publishers over partners operating on their sites and apps, so that processing is 
proportionate 

6. Standardised signals to enable accountability 

7. Minimum criteria for UI — disclosure of vendors and purposes, including privacy policy link and legal 
bases. No consent signal generated prior to an “affirmative act”. 


How TCF 2.0 addresses issues identified in the ICO report 


Issue | How TCF v 2.0 manages this

* Lack of transparency
- More granular purposes and user-friendly language
- Improved UI requirements (purposes and link to list of downstream vendors in first layer)
- No pre-ticked consent
- Actively discussing further UI policy changes/good practice

* Lawful basis (GDPR, ePrivacy)
- Mandates consent for cookies/similar technologies
- Separate, opt-in-only control over precise geolocation data and active fingerprinting

* Legitimate interest legal basis
- Vendor registration declaration of LI legal basis requires confirmation of LIA

* Withdrawal of consent and right to object to processing
- Facilitates both to be signalled; vendors must comply

* The data supply chain
- Publisher control over vendors (who can process & for what purpose), e.g. only Vendors X, Y, and Z may process based on Purpose 3
- Data sharing addressed in policies and governance.


Enforcement: CMP validator compliance checking programme 


* Updated list on https://advertisingconsent.eu/cmp-list/ with only CMPs that have demonstrated their 
full compliance with both technical and policy checks (at least in a staging environment) 

* 129 CMPs (out of original 188) are compliant

* Machine readable .json file with names and IDs of only compliant CMPs 

* Official TCF v1.1 Compliant seal to CMPs who have rolled out compliant versions. 

* November 20th deadline for all CMPs to implement live installations of their fully compliant versions. 

* Random spot-checks will be run after November 20th to verify that compliant versions are live.


* Now updating policy compliance checks on the CMP Validator for v2. 


TCF v 1 CMP validation: CMP ‘before and after’


Special category data


* Where special category data does not need to be processed: 


- work with members to agree changes to/rules around the use of the content taxonomy in the bid 
process in the UK i.e. how we ensure certain ‘SCD’ content labels are not used (unless explicit 
consent is obtained) 


- liaise with Tech Lab to consider whether wider changes should be considered to the taxonomy itself 
* Education for the industry on SCD requirements (including engaging with brands and agencies) 


* Identification of SCD use cases/requirements to inform work where special category data does need to 
be processed (in conjunction with ICO) 




Data security and safeguarding 


* Identifying and developing good practice and guidance on a risk-based approach to sharing data with
third parties, including security of personal data in transit and at rest, covering:


- Information security standards 
- Due diligence (up front and ongoing) and monitoring of contracts 
- Data minimisation, storage and retention 


* TCF workstream to integrate new/additional requirements into TCF policies to help address these 
issues and propagate good practice 
Other issues: developing a programme of good practice, guidance,
resources and education 


* Set out what ‘good’ looks like
* Help ensure there is a clear understanding of what the law requires 
* Provide the tools and resources to help companies to comply 


- PECR/GDPR requirements for storage and access 
n.b. TCF v 2.0 only allows consent (and not LI) as a legal basis for this purpose 

- Legitimate interest legal basis and LIA requirements 
Inc. working with the ICO to review anonymised example LIAs and potential use cases for data 
processing under GDPR 
n.b. TCF vendor registration now requires vendors declaring LI as a legal basis to confirm they have 
completed an LIA 

- DPIA requirements 
Liaising with other trade bodies (in the UK, + IAB Europe), where possible 


* Continued dialogue and engagement with the ICO on the above 
Next steps


* Clear plan and roadmap to be provided to ICO for delivering each workstream
* Phased approach

* Prioritising special category data, data security, PECR legal basis education

* Formalising IAB UK industry response December 2019